Project

General

Profile

Inherited Site Security Review » History » Version 4

Jon Goldberg, 11/09/2020 07:36 PM

1 4 Jon Goldberg
{{last_updated_at}} by {{last_updated_by}}
2
3 1 Jon Goldberg
# Inherited Site Security Review
4
5 3 Jon Goldberg
This is a checklist of steps to take when inheriting a site that Megaphone did not build.  This list is not comprehensive, and we should add to it over time.
6 1 Jon Goldberg
7
* Reset the passwords of server and CMS (encourage client to do latter)
8
* Disable unnecessary logins of server and CMS (encourage client to do latter)
9
* If CiviCRM, check civicrm_contact for API keys.  Remove/change them.
10
* If CiviCRM, check for CiviConnect apps.
11 3 Jon Goldberg
* Remove interactive shell login from legitimate server users who don't need a shell: `passwd -l $USERNAME`
12
* Remove all unnecessary public RSA keys for ssh access `rm /home/$USERNAME/.ssh/authorized_keys*`
13
* Remove unnecessary software from the server.  TODO: Explain how to find this (dpkg -l, yum list installed, ps -ef, etc.)
14 1 Jon Goldberg
* Review all running services on the server with service --status-all or (preferably, if using systemd) systemctl
15
* check listening servers with # netstat -lp
16
* compare that output to an nmap scan of localhost # nmap -sT -O localhost
17 2 Jon Goldberg
 * they should line up closely. if nmap shows a port open that netstat does not, run a rootkit checker and investigate further.
18
* Compare THAT output to an nmap scan from another computer (your own - or a dev server if your ISP blocks some ports): `nmap -sT -O www.example.org`
19 1 Jon Goldberg
* install fail2ban if not already installed.  Consider also tripwire and some iptables.
20 2 Jon Goldberg
* Check for hacks.  While [this resource](https://hq.palantetech.coop/projects/commons/wiki/Unhacking_a_WordPress_site) is incomplete, it suffices for now.  Despite the name, it's useful for Drupal AND WordPress.  Be sure to grep a dump of the database and not just the filesystem.